discovery
+ grab a snapshot of host activity: processes, network connections, ARP cache, logged-in users, and more
+ … repeat the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V & auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption later

antiforensics
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of the payload are encrypted in memory. Each command is handled as receive -> decrypt -> execute -> re-encrypt. The control channel supports one-time keys (what these notes call OTP): each command sent to the backdoor can optionally carry a new key, and the payload is re-encrypted under it. The need to re-encrypt with a new key goes away once Diffie-Hellman is implemented for key exchange, since the key is then agreed rather than sent over the channel.
— this feature isn't useful for an open-source backdoor... um, ok. did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.
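Worked example of the receive -> decrypt -> execute -> re-encrypt cycle with per-command keys. This is an added illustration in Python, not code from the module, and everything in it is an assumption made for the illustration: the wire format [klen][key][nlen][new_key][cmd], HMAC-SHA256 in counter mode standing in for whatever cipher the module really uses, a JSON command table playing the role of the "interesting pieces of payload", and the sample control traffic. It also shows the flip side that the howtodetect notes raise: with no key exchange every key crosses the control channel, so a memory dump plus the pcap decrypts the blob, while a dump paired with a capture that missed the last key rotation does not.

```python
import hashlib
import hmac
import json
import struct
from typing import List, Optional, Tuple


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    the notes do not name the module's real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_command(cmd: bytes, key: bytes, new_key: bytes = b"") -> bytes:
    """Assumed wire format: [klen][key][nlen][new_key][cmd]; nlen 0 = keep key."""
    return bytes([len(key)]) + key + bytes([len(new_key)]) + new_key + cmd


def parse_command(msg: bytes) -> Tuple[bytes, Optional[bytes], bytes]:
    klen = msg[0]
    key = msg[1:1 + klen]
    nlen = msg[1 + klen]
    new_key = msg[2 + klen:2 + klen + nlen]
    return key, (new_key or None), msg[2 + klen + nlen:]


class Backdoor:
    """At rest only the ciphertext `blob` is in memory; no key is kept, the
    next command brings it (and optionally a replacement)."""

    def __init__(self, payload: bytes, key: bytes) -> None:
        self.blob = xor_crypt(key, payload)

    def handle(self, msg: bytes) -> bytes:
        key, new_key, cmd = parse_command(msg)
        payload = xor_crypt(key, self.blob)                    # decrypt
        try:
            table = json.loads(payload)
        except ValueError:
            return b"bad key"                                  # wrong key: blob left untouched
        result = table.get(cmd.decode(), "unknown command").encode()  # execute
        self.blob = xor_crypt(new_key or key, payload)         # re-encrypt, rotating if asked
        del payload, key, new_key                              # nothing sensitive stays resident
        return result


def recover_payload(dump_blob: bytes, pcap_msgs: List[bytes]) -> Optional[bytes]:
    """Analyst side: replay the captured control traffic to learn which key the
    blob is under at dump time. Without a key exchange every key is on the wire."""
    current = None
    for msg in pcap_msgs:
        key, new_key, _ = parse_command(msg)
        current = new_key or key
    if current is None:
        return None          # no control traffic captured: the dump alone is not enough
    return xor_crypt(current, dump_blob)


# Constructed payload: command name -> what the backdoor would run for it.
PAYLOAD = json.dumps({
    "snapshot": "ps aux; ss -tunap; ip neigh; who",
    "sshkeys": "cat ~/.ssh/*",
}).encode()
K0, K1 = b"k0-initial", b"k1-rotated"


def demo() -> dict:
    bd = Backdoor(PAYLOAD, K0)
    bad = bd.handle(build_command(b"snapshot", key=b"not-the-key"))
    # Constructed control traffic: the second command rotates the key to K1.
    pcap = [build_command(b"snapshot", key=K0),
            build_command(b"sshkeys", key=K0, new_key=K1)]
    replies = [bd.handle(m) for m in pcap]
    dump = bd.blob      # what a memory dump taken after the last command would hold
    return {
        "bad_key_reply": bad,
        "replies": replies,
        "from_dump_and_full_pcap": recover_payload(dump, pcap),
        "from_dump_and_stale_pcap": recover_payload(dump, pcap[:1]),  # capture missed the rotation
        "from_dump_alone": recover_payload(dump, []),
    }


if __name__ == "__main__":
    r = demo()
    print("full pcap + dump recovers payload:", r["from_dump_and_full_pcap"] == PAYLOAD)
    print("stale pcap + dump recovers payload:", r["from_dump_and_stale_pcap"] == PAYLOAD)
    print("dump alone:", r["from_dump_alone"])
```

The wrong-key path matters for the design: a command carrying a bad key decrypts to garbage, the table fails to parse, and the blob is left as it was, so a blind guess from the analyst (or a typo from the operator) does not corrupt the resident payload.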

howtodetect
+ you'll have a tainted kernel if you "allow signed modules, but don't require them": with module signing enabled but sig_enforce off, an unsigned module still loads and sets taint flag E (bit 13, value 8192) in /proc/sys/kernel/tainted; with sig_enforce on it is refused outright, so there is nothing to taint
+ all legitimate kernel modules will need to be signed for an unsigned module to be noticed; if the distro ships unsigned modules, E is always set and the signal is gone
— you still need a safe way to get the taint status off a host you no longer trust
— the kernel can be tainted for reasons other than unsigned module loading (W for a warning, P for a proprietary module, O for any out-of-tree module, which is set even when the module is signed), so decode the value and look at which bits are set; /sys/module/<name>/taint shows the flags per module, so the offending module can be named
+ volatility can show you there's a netfilter hook in place (the linux_netfilter plugin lists the registered hooks); you probably aren't expecting any, so this is usually high signal
— you can then reverse that piece of the module, but shouldn't be able to analyze the payload without the key, since it sits encrypted in memory while idle
— unless something like Diffie-Hellman is used for key exchange, the key travels over the control channel, so a pcap gives you the key to decrypt the payload
+ so you still need both a memory dump and a pcap to analyze the payload
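A quick triage script for the taint checks above, added here as an example rather than anything from the project. The bit table is the one in the kernel's Documentation/admin-guide/tainted-kernels.rst; the paths are the standard ones (/proc/sys/kernel/tainted, /sys/module/<name>/taint, /sys/module/module/parameters/sig_enforce) and only exist on a Linux host, so the values fed to the pure functions in the usage below are constructed.

```python
from pathlib import Path
from typing import Dict, List, Optional

# Taint bits as documented in Documentation/admin-guide/tainted-kernels.rst
TAINT_BITS = [
    (0, "P", "proprietary module loaded"),
    (1, "F", "module force-loaded"),
    (2, "S", "kernel running on an out-of-spec system"),
    (3, "R", "module force-unloaded"),
    (4, "M", "machine check exception reported"),
    (5, "B", "bad page referenced"),
    (6, "U", "taint requested by userspace"),
    (7, "D", "kernel died recently (oops or BUG)"),
    (8, "A", "ACPI table overridden by user"),
    (9, "W", "kernel issued a warning"),
    (10, "C", "staging driver loaded"),
    (11, "I", "platform firmware bug workaround applied"),
    (12, "O", "out-of-tree module loaded"),
    (13, "E", "unsigned module loaded"),
    (14, "L", "soft lockup occurred"),
    (15, "K", "kernel has been live patched"),
    (16, "X", "auxiliary taint (distro defined)"),
    (17, "T", "built with the struct randomization plugin"),
]


def decode_taint(value: int) -> List[str]:
    """Letters of the set bits in bit order, e.g. 12288 -> ['O', 'E']."""
    return [letter for bit, letter, _ in TAINT_BITS if (value >> bit) & 1]


def describe_taint(value: int) -> List[str]:
    return [desc for bit, _, desc in TAINT_BITS if (value >> bit) & 1]


def module_load_suspect(value: int) -> bool:
    """The bits this howtodetect cares about: E (unsigned module loaded) and
    O (out-of-tree module loaded, set even when the module is signed)."""
    flags = decode_taint(value)
    return "E" in flags or "O" in flags


def read_system_taint(path: str = "/proc/sys/kernel/tainted") -> int:
    return int(Path(path).read_text().strip())


def sig_enforced(path: str = "/sys/module/module/parameters/sig_enforce") -> Optional[bool]:
    """True: unsigned modules are refused, so an unsigned backdoor never loads.
    False: they load and set E. None: file absent (kernel built without signing)."""
    try:
        return Path(path).read_text().strip() == "Y"
    except OSError:
        return None


def per_module_taint(root: str = "/sys/module") -> Dict[str, str]:
    """Map loaded module name -> its own taint letters from /sys/module/<name>/taint
    (empty string for a clean module), so the tainting module can be named."""
    result: Dict[str, str] = {}
    for t in Path(root).glob("*/taint"):
        try:
            result[t.parent.name] = t.read_text().strip()
        except OSError:
            continue
    return result


def suspect_modules(per_module: Dict[str, str]) -> List[str]:
    """Modules that set E or O; these are what to pull for reversing."""
    return sorted(name for name, flags in per_module.items() if "E" in flags or "O" in flags)


if __name__ == "__main__":
    value = read_system_taint()
    print("tainted =", value, decode_taint(value))
    for d in describe_taint(value):
        print("  -", d)
    print("sig_enforce:", sig_enforced())
    print("suspect modules:", suspect_modules(per_module_taint()))
```

Usage on a host is just running the script as root; the per-module list is the part worth copying off the box, since the global value only says that something tainted the kernel, not what.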